I have denyhosts running on my server to block IPs that repeatedly fail to log in over ssh, for example brute-force style attacks. I can see that entries in the auth.log file have not been updated in the hosts.deny file for some time. How can I check what's going wrong and fix denyhosts to get it to update from the auth.log file?

I have tried restarting rsyslog and denyhosts but this doesn't solve the problem.

The contents of auth.log seem to be getting rotated to auth.log.1 instead, so when I switch the contents of these two files then denyhosts can read the auth.log properly.

1 Answer

It seems that there was a conflict between logrotate and denyhosts accessing the auth.log file. This can be checked by running lsof on auth.log. Stopping denyhosts, then restarting rsyslog (which flushed the lock on the file), and then restarting denyhosts worked as a temporary fix.

Will update if I work out a permanent fix without having to constantly restart these services.
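The lsof check mentioned in the answer, extended to also report whether each process holds the live auth.log or the rotated auth.log.1. This is an added example, not the answerer's code; the function name `log_holders` is hypothetical, and it assumes Linux /proc, GNU stat, and the `.1` suffix seen in the question.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Lists processes that hold a log file open and says whether each one is
# attached to the file currently at the live path or to the rotated copy.
# Assumes Linux /proc and GNU stat; run as root to see other users' processes.
#
# Usage: log_holders LIVE_PATH [ROTATED_PATH]
#   e.g. log_holders /var/log/auth.log    (path assumed; adjust to your system)
# Output: one line per holder: "<pid> <command> <live|rotated>"
log_holders() {
    local live="$1" rotated="${2:-$1.1}"
    local live_id rot_id id path pid state

    # device:inode identifies a file no matter which name it has after rotation
    live_id=$(stat -Lc '%d:%i' "$live" 2>/dev/null) || true
    rot_id=$(stat -Lc '%d:%i' "$rotated" 2>/dev/null) || true

    # One stat call over every readable descriptor of every process;
    # -L follows /proc/<pid>/fd/<n> to the file that is actually open.
    stat -Lc '%d:%i %n' /proc/[0-9]*/fd/* 2>/dev/null |
    while read -r id path; do
        case $id in
            "$live_id") state=live ;;
            "$rot_id")  state=rotated ;;
            *) continue ;;
        esac
        pid=${path#/proc/}
        pid=${pid%%/*}
        printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$state"
    done | sort -u
}
```

A process listed as `rotated` is reading or writing the file that now carries the `.1` name, not the file at the live path.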